Reported February 12, 2003, by Thomas Adams.
VERSIONS AFFECTED
- Abyss Web Server 1.1.2 and earlier
DESCRIPTION
A vulnerability in Aprelium's Abyss Web Server 1.1.2 and earlier can permit a remote attacker to gain administrative access to the Web server. The remote Web management interface listens at http://abyss_server:9999 and authenticates administrators with a username and password, but it enforces no limit on failed login attempts, no account or source lockout, and no delay after a wrong guess. An attacker can therefore submit username and password guesses indefinitely, at whatever rate the network allows, until a valid pair is found. Compounding this, Abyss keeps no log for port 9999 (requests on port 80 are written to the access.log file), so the brute-force attempts leave no trace on the server, whether or not they succeed.
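To make the two missing controls concrete, the following Python model is added here; it is not Abyss code, and the HTTP Basic credential format, the administrator account, the attacker address and the 20-word dictionary are all constructed for illustration. It runs the same dictionary attack against an authenticator that behaves as described above (every attempt evaluated at once, no delay, no log) and against a hardened one that counts failures per source, locks the source out for an exponentially growing interval, and records one log line per attempt:

```python
"""Added example modelling the advisory's two missing controls (no attempt limit or
delay, no log on the management port) beside a throttled, logging authenticator.
Not Abyss code: the HTTP Basic credential format, user list, client address and
word list are constructed for illustration."""
import base64
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: one admin account and a 20-guess dictionary.
USERS = {"admin": hashlib.sha256(b"S3rv3r!2003").digest()}
WORDLIST = ["password", "123456", "admin", "abyss", "letmein", "qwerty", "welcome",
            "changeme", "secret", "root", "test", "guest", "server", "webadmin",
            "S3rv3r!2003", "monkey", "dragon", "master", "login", "pass"]
ATTACKER_IP = "203.0.113.7"  # RFC 5737 documentation address, constructed
DUMMY_DIGEST = hashlib.sha256(b"no-such-user").digest()


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_valid(users, user, password):
    """Constant-time comparison; unknown users compare against a dummy digest so the
    response time does not reveal which usernames exist. SHA-256 stands in for the
    slow password hash a real console should use."""
    expected = users.get(user, DUMMY_DIGEST)
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return hmac.compare_digest(digest, expected) and user in users


class UnthrottledAuth:
    """The behaviour the advisory describes: every attempt is evaluated immediately,
    nothing slows a wrong guess down, and nothing is recorded."""
    def __init__(self, users):
        self.users = users

    def check(self, client_ip, header, now):
        creds = parse_basic_auth(header)
        return creds is not None and credentials_valid(self.users, *creds)


class ThrottledAuth:
    """Hardened form: per-source failure counter, exponential lockout, and one log
    line per attempt so the brute force is visible even when it fails."""
    MAX_FAILURES = 5     # free guesses before the first lockout
    BASE_LOCKOUT = 2.0   # seconds; doubles with each further failure

    def __init__(self, users, log):
        self.users = users
        self.log = log                         # list standing in for a log file
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(float)

    def check(self, client_ip, header, now):
        if now < self.locked_until[client_ip]:
            self.log.append(f"{now:.0f} admin-login ip={client_ip} result=locked_out")
            return False
        creds = parse_basic_auth(header)
        user = creds[0] if creds else "-"
        if creds is not None and credentials_valid(self.users, *creds):
            self.failures[client_ip] = 0
            self.log.append(f"{now:.0f} admin-login ip={client_ip} user={user} result=success")
            return True
        self.failures[client_ip] += 1
        n = self.failures[client_ip]
        if n >= self.MAX_FAILURES:
            self.locked_until[client_ip] = now + self.BASE_LOCKOUT * 2 ** (n - self.MAX_FAILURES)
        self.log.append(f"{now:.0f} admin-login ip={client_ip} user={user} result=failure attempt={n}")
        return False


def run_attack(auth, wordlist, username="admin"):
    """Submit one guess per second; return the index of the guess that succeeded, or None."""
    for i, guess in enumerate(wordlist):
        token = base64.b64encode(f"{username}:{guess}".encode("utf-8")).decode("ascii")
        if auth.check(ATTACKER_IP, "Basic " + token, now=float(i)):
            return i
    return None


def demo():
    """Same 20-guess attack against both authenticators; returns both outcomes and the log."""
    weak_hit = run_attack(UnthrottledAuth(USERS), WORDLIST)
    log = []
    strong_hit = run_attack(ThrottledAuth(USERS, log), WORDLIST)
    return weak_hit, strong_hit, log


if __name__ == "__main__":
    weak_hit, strong_hit, log = demo()
    print("unthrottled: cracked on guess", weak_hit)        # 14
    print("throttled:   cracked on guess", strong_hit)      # None
    print("throttled log:", len(log), "lines,",
          sum("result=failure" in line for line in log), "guesses actually evaluated")
    for line in log[:7]:
        print("  ", line)
```

Against the unthrottled authenticator the attacker reaches the real password on the fifteenth guess and the server records nothing. Against the throttled one the same 20 requests get only 8 guesses evaluated (the rest are refused during lockouts), the password is never reached, and every request, refused or not, appears in the log keyed by source address. The lockout is per source address rather than per account so that an attacker cannot lock the legitimate administrator out simply by guessing against that account.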
VENDOR RESPONSE
Aprelium has been notified and will release a patch or a new version that addresses these issues.
CREDIT
Discovered by Thomas Adams.